Seven patterns. Seven failure modes. Seven questions. You've read the articles — this is the retrieval layer.
How to use this: Match what the buyer says to the pattern. Read the failure mode so you know what's coming. Ask the discovery question. The conversation opens.
The Seven Patterns
Pattern 1: Copilot Layer
AI assistant surfaced on top of existing applications without replacing the underlying systems.
Buyer says: "We're building a copilot on top of [existing platform]" — or — "We want to give our analysts an AI assistant."
Six-month failure mode: The copilot inherits a service account's broad permissions because nobody scoped a separate identity for it. One analyst's query returns data from a classification tier they shouldn't reach. The access review that should have caught this never ran because the copilot looked like a UI feature, not a new principal.
Discovery question: "What identity does the copilot use when it calls your backend systems — is it the user's credential, a service account, or something else?"
Pattern 2: Agentic Workflow
AI agent executes multi-step tasks autonomously, taking actions across systems without per-step human approval.
Buyer says: "We want the AI to just handle it end-to-end" — or — "We're trying to reduce the human touchpoints in this process."
Six-month failure mode: The agent's credential gets rotated on a schedule that doesn't account for task duration. Mid-task auth failure. The agent either fails silently or retries with a cached token that's now invalid. Nobody knows which tasks completed, which didn't, and what state the downstream systems are in.
Discovery question: "When the agent's session expires mid-task, what's the recovery path — and who gets notified?"
Don't confuse with Multi-Agent Orchestration (Pattern 6). A single agent completing a complex task is Pattern 2. Multiple agents coordinating under a primary orchestrator is Pattern 6. The identity architecture is different in each case.
Pattern 3: RAG / Knowledge Retrieval
LLM connected to internal data stores via retrieval pipeline; the model answers questions by pulling live organizational content.
Buyer says: "We want the AI to answer questions from our internal documents" — or — "We're connecting the model to our knowledge base."
Six-month failure mode: The retrieval layer doesn't enforce the requesting user's document-level permissions. A user asks a question and the RAG pipeline returns a chunk from a document that user can't read directly. The model helpfully summarizes content the user was never authorized to see.
Discovery question: "Does your retrieval layer check the requesting user's permissions against the source document's ACL before returning a chunk — or does it retrieve first and filter later?"
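The difference between the two answers to that question, as an added example (not from the source articles): a toy index where word overlap stands in for vector similarity. The document IDs, groups and function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Chunk:
    doc_id: str
    text: str
    acl: frozenset  # groups allowed to read the source document

# Constructed sample index; document names and groups are illustrative.
INDEX = [
    Chunk("hr-042", "salary bands for senior analyst roles", frozenset({"hr"})),
    Chunk("hr-043", "salary adjustment schedule for analyst staff", frozenset({"hr"})),
    Chunk("pub-007", "analyst onboarding guide and role overview", frozenset({"hr", "staff"})),
    Chunk("pub-008", "travel policy for all staff", frozenset({"hr", "staff"})),
]

def score(query, chunk):
    """Toy relevance: count of shared words (stands in for vector similarity)."""
    return len(set(query.lower().split()) & set(chunk.text.lower().split()))

def top_k(query, candidates, k):
    """Return up to k candidates with a non-zero score, best first."""
    ranked = sorted(candidates, key=lambda c: score(query, c), reverse=True)
    return [c for c in ranked[:k] if score(query, c) > 0]

def retrieve_then_filter(query, groups, k=2):
    """Rank the whole index, then drop what the user cannot read."""
    hits = top_k(query, INDEX, k)
    allowed = [c.doc_id for c in hits if c.acl & groups]
    # Chunks the pipeline already handled (logs, caches, rerankers) before the filter ran.
    exposed = [c.doc_id for c in hits if not (c.acl & groups)]
    return allowed, exposed

def retrieve_with_acl(query, groups, k=2):
    """Restrict the candidate set to readable documents before ranking."""
    readable = [c for c in INDEX if c.acl & groups]
    return [c.doc_id for c in top_k(query, readable, k)], []

if __name__ == "__main__":
    q = "analyst salary bands"
    print("filter later:", retrieve_then_filter(q, {"staff"}))
    print("ACL first:   ", retrieve_with_acl(q, {"staff"}))
```

Filtering after retrieval has two costs here: the restricted chunks have already entered the pipeline, and they crowd the readable chunk out of the top-k, so the user gets nothing back.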
Pattern 4: Human-in-the-Loop
AI generates recommendations or drafts; a human reviews and approves before any action is taken.
Buyer says: "The AI will suggest, but a human always approves" — or — "We want AI to draft, humans to decide."
Six-month failure mode: The approval workflow runs under the approver's identity, but the AI's recommendation was generated using a broader data pull than the approver can see. The approver is signing off on something they can't audit. The human-in-the-loop becomes a formality.
Discovery question: "Can the approving human see every data source the AI used to generate the recommendation they're approving?"
Pattern 5: Embedded Model
AI capability integrated directly into an existing application; the model is a feature, not a separate tool.
Buyer says: "We're adding AI to [existing system]" — or — "The vendor is building AI into the platform."
Six-month failure mode: The embedded model runs under the application's existing service identity, which was scoped for the application's original function. The AI feature expands what that identity can reach without triggering an access review. The scope creep is invisible because the principal didn't change.
Discovery question: "When the vendor ships the AI update, does your access review process cover the new data paths the model opens — or does it only fire when a new principal is created?"
Don't confuse with Copilot Layer (Pattern 1). A copilot is a separate surface the user interacts with. An embedded model is a capability change inside an existing application. The identity risk lands differently: copilots create new principals, embedded models expand existing ones.
Pattern 6: Multi-Agent Orchestration
A primary agent coordinates multiple specialized sub-agents; tasks are decomposed and delegated across an agent network.
Buyer says: "We're building an agent that coordinates other agents" — or — "We have specialized agents that a master agent will direct."
Six-month failure mode: The orchestrator passes its own credential to sub-agents for convenience. Sub-agents now operate with orchestrator-level permissions regardless of task scope. Least privilege collapses at the first delegation hop, and every hop after that inherits the problem.
Discovery question: "When the orchestrator delegates a task to a sub-agent, does the sub-agent get its own scoped credential — or does it inherit the orchestrator's?"
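What "its own scoped credential" can look like at a delegation hop, as an added example (not from the source articles): each hop may only narrow scope and lifetime, and the delegation path is recorded for audit. The `Credential` shape, scope names and `MAX_DEPTH` limit are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Credential:
    subject: str
    scopes: frozenset
    expires_at: int          # epoch seconds
    chain: tuple = ()        # delegation path, kept for audit

MAX_DEPTH = 2  # assumed policy limit on delegation hops

def delegate(parent, sub_agent, requested, ttl, now):
    """Mint a sub-agent credential that can only narrow the parent's authority."""
    if now >= parent.expires_at:
        raise PermissionError("parent credential expired")
    if len(parent.chain) >= MAX_DEPTH:
        raise PermissionError("delegation depth exceeded")
    requested = frozenset(requested)
    if not requested <= parent.scopes:
        raise PermissionError(f"scope escalation: {sorted(requested - parent.scopes)}")
    return Credential(
        subject=sub_agent,
        scopes=requested,
        expires_at=min(parent.expires_at, now + ttl),  # never outlives the parent
        chain=parent.chain + (parent.subject,),
    )

def authorize(cred, scope, now):
    """A call is allowed only while the credential is live and carries the scope."""
    return now < cred.expires_at and scope in cred.scopes

def demo(now=1_000):
    orch = Credential("orchestrator",
                      frozenset({"tickets:read", "tickets:write", "hr:read"}),
                      now + 3600)
    inherited = orch  # failure mode: sub-agent reuses the orchestrator's credential
    # Scoped hop: the (hypothetical) summarizer sub-agent only needs to read tickets.
    scoped = delegate(orch, "summarizer", {"tickets:read"}, ttl=300, now=now)
    return {
        "inherited_can_read_hr": authorize(inherited, "hr:read", now),
        "scoped_can_read_hr": authorize(scoped, "hr:read", now),
        "scoped_can_read_tickets": authorize(scoped, "tickets:read", now),
        "scoped_chain": scoped.chain,
        "scoped_expires_at": scoped.expires_at,
    }

if __name__ == "__main__":
    print(demo())
```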
Pattern 7: Sovereign / Fine-Tuned Model
Agency owns or controls the model weights; the model runs in agency-controlled infrastructure, often fine-tuned on agency data.
Buyer says: "We can't send data to a commercial API" — or — "We need the model on-prem" — or — "We're fine-tuning on our own data."
Six-month failure mode: The model is isolated, but the fine-tuning pipeline isn't. Training data ingestion runs with elevated permissions that persist after training completes. The attack surface moved from the model to the pipeline, and nobody updated the threat model to follow it.
Discovery question: "What identity governs your fine-tuning pipeline, and does that credential get rotated after each training run?"
If you remember nothing else: The pattern determines the threat surface. The threat surface determines the identity architecture. Get the pattern right in the first ten minutes or you'll spend the rest of the call solving the wrong problem.
Vocabulary Collision Zones
Three terms that mean something different in AI than they do in IDAM — and where the gap creates real risk in the conversation.
| AI Term | What It Means in AI | IDAM Equivalent | Key Divergence |
|---|---|---|---|
| Agent | Autonomous software process that perceives inputs and takes actions to complete a goal | Service principal / non-human identity (NHI) | An AI agent may spawn sub-agents, chain tool calls, and persist across sessions. A static service principal wasn't designed to govern delegation depth — only the principal itself. When a buyer says "agent," ask how many layers deep the delegation goes. |
| Session | Context window / conversation span — the model's working memory for a given interaction | Authenticated session with expiry, refresh, and revocation | An AI context window can outlast the authenticated session that initiated it. The model keeps operating after the user's token expires. Nobody revoked the context. In most current implementations, that's the default behavior, not an edge case someone engineered around. |
| Trust / Delegation | Confidence in model output accuracy; authorization for the model to call a tool | Federation trust / OAuth delegation | In IDAM, trust is explicit, scoped, and auditable. In AI systems, "the model is trusted to call this tool" is typically a config flag — no expiry, no scope constraint, no audit trail. The word is identical. The governance is not. |
Pattern Confusion Index
These pairs get mixed up in discovery. Name the distinction early.
Agentic Workflow vs. Multi-Agent Orchestration: One agent completing a complex autonomous task is Pattern 2. Multiple agents coordinating under a primary orchestrator is Pattern 6. The credential architecture is different: Pattern 2 needs durable session management for a single principal; Pattern 6 needs scoped delegation at every handoff point.
Copilot Layer vs. Embedded Model: Copilots create new principals. Embedded models expand existing ones. The buyer often can't tell the difference from their side of the conversation — ask whether the AI capability has its own login or runs inside an existing application.
Human-in-the-Loop vs. Agentic Workflow: The buyer will sometimes describe Pattern 4 as "we have a human approving everything" while the underlying system is running Pattern 2 autonomously up until the approval gate. Both patterns can coexist in the same deployment. Check what the agent does before the human sees it.
Source Index
| Pattern | Source Article | What It's For |
|---|---|---|
| Copilot Layer | Mapping the Copilot Identity Surface | Scoping new principals correctly |
| Agentic Workflow | When Agents Act: Credential Lifecycle for Autonomous Tasks | Session and token durability |
| RAG / Knowledge Retrieval | Retrieval Pipelines and Permission Inheritance | ACL enforcement at retrieval |
| Human-in-the-Loop | Approval Workflows and Audit Completeness | Closing the audit gap |
| Embedded Model | Vendor AI Features and Access Creep | Catching scope creep early |
| Multi-Agent Orchestration | Delegation Chains and Least Privilege Collapse | Scoping sub-agent credentials |
| Sovereign / Fine-Tuned Model | On-Prem Models and Pipeline Identity Risk | Securing the training pipeline |

